
Support rootless plugin containers #24236

Merged
merged 4 commits into main from vault-20650/support-rootless-plugin-containers
Nov 28, 2023

Conversation

tomhjp
Contributor

@tomhjp tomhjp commented Nov 22, 2023

  • Pulls in github.com/go-secure-stdlib/[email protected] which exposes a new Config.Rootless option to opt in to extra container configuration options that allow establishing communication with a non-root plugin within a rootless container runtime.
  • Adds a new "rootless" option for plugin runtimes, so Vault needs to be explicitly told whether the container runtime on the machine is rootless or not. It defaults to false as rootless installs are not the default.
  • Updates run_config.go to use the new option when the plugin runtime is rootless.
  • Adds new -rootless flag to vault plugin runtime register, and rootless API option to the register API.
  • Adds rootless Docker installation to CI to support tests for the new functionality.
  • Minor test refactor to minimise the number of test Vault cores that need to be made for the external plugin container tests.
  • Documentation for the new rootless configuration and the new (reduced) set of restrictions for plugin containers.
  • As well as adding rootless support, we've decided to drop explicit support for podman for now, but there's no barrier other than support burden to adding it back again in future so it will depend on demand.
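Since the PR makes the operator responsible for telling Vault whether the host's container runtime is rootless, a small helper that derives the `-rootless` flag from the daemon's own mode avoids registering a runtime that cannot reach its plugins. This is an added example, not code from the PR or from Vault; it assumes `docker info` exposes a `SecurityOptions` list containing `name=rootless` for a rootless daemon, and the `-type=container` and `-oci_runtime` flags of `vault plugin runtime register`.

```shell
#!/usr/bin/env sh
# Hypothetical helper (not part of the Vault PR): pick the -rootless value for
# "vault plugin runtime register" from the local Docker daemon's mode instead of
# guessing it. Registering a rootless daemon's runtime with -rootless=false (or
# the reverse) leaves Vault unable to communicate with the plugin container.

# Return 0 if a space-separated "docker info" SecurityOptions string marks the
# daemon as rootless, 1 otherwise. The string is passed in so the check can be
# exercised without a running daemon.
is_rootless_daemon() {
  case " $1 " in
    *" name=rootless "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read SecurityOptions from the running daemon as one space-separated string.
# Assumption: the daemon reports "name=rootless" in that list when rootless.
daemon_security_options() {
  docker info --format '{{range .SecurityOptions}}{{.}} {{end}}' 2>/dev/null
}

# Print the register command for a container plugin runtime.
# $1 = runtime name, $2 = OCI runtime binary (e.g. runsc),
# $3 = SecurityOptions string as produced by daemon_security_options.
runtime_register_cmd() {
  name=$1
  oci_runtime=$2
  if is_rootless_daemon "$3"; then rootless=true; else rootless=false; fi
  printf 'vault plugin runtime register -type=container -oci_runtime=%s -rootless=%s %s\n' \
    "$oci_runtime" "$rootless" "$name"
}

# Only query a real daemon when run directly as a script and docker is present.
if [ "${0##*/}" = "register-runtime.sh" ] && command -v docker >/dev/null 2>&1; then
  runtime_register_cmd gvisor runsc "$(daemon_security_options)"
fi
```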

@tomhjp tomhjp requested review from a team as code owners November 22, 2023 13:12
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Nov 22, 2023
@tomhjp tomhjp added this to the 1.16.0-rc1 milestone Nov 22, 2023
@tomhjp tomhjp force-pushed the vault-20650/support-rootless-plugin-containers branch from b4c277a to 86170bc November 22, 2023 13:17
@tomhjp tomhjp requested a review from schavis November 22, 2023 13:18
@tomhjp
Contributor Author

tomhjp commented Nov 22, 2023

cc @schavis for the docs updates.


Build Results:
All builds succeeded! ✅


github-actions bot commented Nov 22, 2023

CI Results:
All Go tests succeeded! ✅

@tomhjp
Contributor Author

tomhjp commented Nov 28, 2023

Thanks!

@tomhjp tomhjp merged commit 030bba4 into main Nov 28, 2023
111 checks passed
@tomhjp tomhjp deleted the vault-20650/support-rootless-plugin-containers branch November 28, 2023 14:07